January 16, 2005

Between a Rock and a Hard Place - Part 2

A few days ago I had some things to say about a database theft that took place at T-Mobile. The original story was in the Register and to me seemed to be very slanted against T-Mobile and the US Secret Service.

The following day a story appeared in Computer World with a somewhat different take on the incident. I think we should compare and contrast - because I find the differences fascinating. So, if you don't like tech stories... it's time to move on or skip down the page a bit.

The Computer World account is a bit more terse, sounding more like a news story than a diatribe of the big bad company and the USSS versus the poor little customer. But it's not just the tone of the two stories, factually there are some huge differences. The differences are so big between the two stories, I wonder if either of them is correct.

For brevity's sake: CW = Computer World, TR = The Register

CW: A malicious hacker penetrated the network of mobile phone company T-Mobile USA Inc. and accessed information on 400 of the company's customers, including sensitive information from the account of a U.S. Secret Service agent, according to statements by T-Mobile and the Secret Service.
TR: Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with web access to their T-Mobile email accounts. He did not have access to credit card numbers.

My comment: If no one noticed, there is a really big difference between the numbers 400 and 16.3 million. Did he have access to all the database names, or only a small portion of them? We don't know - T-Mobile could be telling the truth or it could be downplaying. And TR may be using the largest number it can find for shock value.

CW: T-Mobile claims it discovered an intrusion in October 2003 and reported it to the USSS
TR: the T-Mobile breach came to the attention of the USSS in March 2004 through a hacker chat room. The USSS then informed T-Mobile of the theft of records.

My Comment: Who is right here? I have no idea. TR says it got its info through court records. So unless we could see the court records, we can't tell if their info is correct or if T-Mobile is correct. We all know how accurate any factual information can be when it's being siphoned through a reporter.

CW: The company said Jacobsen is believed to be involved in other attempts to access customer information and said it is cooperating with the Secret Service in investigating those allegations.
TR: But Jacobsen was not charged with the others. Instead he faces two felony counts of computer intrusion and unauthorized impairment of a protected computer in a separate, unheralded federal case in Los Angeles, currently set for a 14 February status conference.

My Comment: The CW story says there is still more investigation going on around Jacobsen, whereas the TR story wants us to believe all the investigation part is done and they are trying to cut a deal with him. And TR implies that the Secret Service is holding out, claiming it can't speak about Jacobsen's case when it will talk about others arrested on that day. This reticence on the part of the USSS makes more sense if CW is right and the investigation continues even though they have already charged Jacobsen with some crimes.

CW: Customers whose accounts were allegedly accessed by Jacobsen were notified in writing about the breach, in accordance with California law, in early 2004 -- after the company received clearance from the Secret Service. T-Mobile said it is unaware of any problems with those accounts stemming from the hack.
TR: T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning.

My Comment: Either they did or they didn't warn customers... but if you look carefully you'll see TR never accuses T-Mobile of not telling customers involved that their information was compromised. It merely states that there was no "public" warning. Even in TR they say:

Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

Show me the part that says T-Mobile has to go to major newspapers and spell it out in headlines... As long as they warned all the customers involved, they have covered the necessary legalities. Whether or not people like the fact that they can "get away" with sending out letters instead of pasting it on the front page of the NYT - is beside the point.

Both stories agree that a Secret Service agent was using his T-Mobile account to store case information. But where the TR story stops there, giving the implication that the USSS is incompetent at best, the CW story goes to the trouble to follow up with the Secret Service.

The unnamed Secret Service agent violated rules that forbid sensitive documents from being copied to other computer systems, Cherry said. He would not comment on whether the agent would be punished for the breach of policy.

Ah - it seems that it is not the policy of the USSS to compile case data on unsecured computers. I had wondered about that. Considering that TR identifies the agent in this way...

Cavicchia was the agent who last year spearheaded the investigation of Jason Smathers, a former AOL employee accused of stealing 92 million customer email addresses from the company to sell to a spammer.

I can't quite figure out if TR has the correct agent or not. It would seem that Mr. Cavicchia should certainly know better than to rely on an untrusted network. Especially if he investigates computer crime for a living! But The Register gives us no indication how they got the name of the agent involved. I wonder if the information is correct or if the unnamed source (talked about later in the article) threw out a name and the author ran with it, trusting the source.

I stand by my original conclusions about why T-Mobile and the USSS would proceed with handling the case in this manner. I also stand by my original view that The Register story is highly slanted. That does not mean that I think the Computer World story is completely correct. As far as I know, either or both stories could be severely wrong. But I tend to view with great suspicion any story (such as the one by The Register) that goes to such lengths to try and make people angry without giving them the background facts on computer security. Without those facts, the average reader would not have the information needed to make a good decision on whether or not the right thing is being done.

Posted by: Teresa in WebTech at 07:15 PM

January 12, 2005

Between a Rock and a Hard Place

Over at Electric Venom, Kate appears to be a bit annoyed with T-Mobile and the US Secret Service...

You’d think you’d hear about it if a hacker broke into the servers of one of the nation’s largest cellular phone providers. You’d think you’d read it in the news if the hacker’s access allowed him to access the DOB, password and Social Security Number of any of the company’s 16.3 million customers… information that he offered for sale on the internet.

Well, yeah, you might think so. It also sounds pretty damning to read an article detailing what appears to be bumbling ineptitude or callous indifference to the plight of the poor customers of this company. After all, they knew the information was stolen, they should have been putting it out there in big screaming headlines, so all those customers would know it.

Or should they?

Our tendency as human beings is to relate an incident we discover to something we can comprehend. Unfortunately cyber crime, in this case theft of data, really is different than the old-fashioned act of breaking and entering to steal paper files. What seems so very cut and dried on the surface can cause even bigger and better problems down the road.

According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.

I hope you read that quote carefully... the theft was NOT reported by T-Mobile. Ponder this for a moment. The Secret Service found out about it through a hacker site, which means T-Mobile did not know that the breach occurred. Nowhere in the article is it mentioned that T-Mobile knew HOW their system was hacked. It merely states that they confirmed the information was valid. That is a huge point.

As anyone who must take care of computer security will tell you, if you don't know where the hole is... you can't plug it! Yes, they could easily confirm that the information is valid, but how did it get out? Was it someone from inside the company? Outside the company? Did they get through the firewall? Did they download the file from a local terminal to a removable media and walk out with it? Did they attach themselves to a laptop via a wireless connection at Starbucks? Did someone open a previously unknown trojan file that sent out the info? The list of questions is as endless as there are ways to break into systems.

Unfortunately, knowing how they did it is vital to other companies too. A previously unknown hole in the operating system, a flaw in a firewall, excellent social engineering, etc etc etc, could leave other companies wide open to the same type of attack that T-Mobile suffered. In that case, consideration must also be given to keeping things quiet while trying to figure out what was done and how. Once the news is shouted in CAPS on the front page of every newspaper, the people who did it will very likely go to ground, taking their methods and the data with them.

Let's just posit this scenario... the breach is found at T-Mobile, they decide - we're warning our customers, that's more important than anything else. Two years later Big Mega Bank has exactly the same breach with even more data lost along with millions of dollars. They find out at this time, it's the same group who pulled off the T-Mobile job. In order to spin this to their advantage - they spread the word to all the major news outlets that "Two years ago the USSS blew it. If they had only kept quiet and investigated the original crime, this new mega crime wouldn't have happened."

But it doesn't even have to involve another company... let's say T-Mobile goes right out and warns their customers. What if they never figured out how the data was stolen? What's to prevent this from happening again? And again? And before you know it - one of the country's largest cell phone companies folds up as customers go elsewhere for their phone service. All those people... out of work... not a pretty sight at all.

Last of all, we should, at the very least, think about the person writing the article. The entire tone is certainly slanted to make the USSS and T-Mobile look very bad.

On 28 July the informant gave his handlers proof that their own sensitive documents were circulating in the underground marketplace they were striving to destroy.

This looks really bad for the USSS until you find out that one of their agents was using T-Mobile for much of his work duties...

The agent was also an adopter of mobile technology, and he did a lot of work through his T-Mobile Sidekick - an all-in-one cellphone, camera, digital organizer and email terminal.

So, if the hackers had access to all the information about customers, why is it so odd that they would be able to access the account of a Secret Service agent? The really surprising thing here is that the USSS allowed the use of unsecured technology to gather data on their cases. If they haven't changed this since the case has come to light - THEN they are certainly being negligent. But that information is never presented... it certainly doesn't take much spin to make lots of people look bad now does it?

I especially like the last touch

The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobsen, facing the prospect of prison time, is favorably considering the offer.

Well, that sort of settles it for the hacker... he'll never be able to function as a mole now unless he's really good at concealing his identity.

One thing you have to understand about computer geeks in general - they tend to have a supremely low opinion of any government agency. Sometimes deserved, sometimes not. But ANY time the government or a large business makes an attempt to work at security - they are slammed from all angles by these guys. It doesn't seem to matter that you have to start somewhere and you have to work at closing all the holes. If they consider that hole to be "insignificant" they will sneer and deride, making it sound like some idiot with an IQ of 39 is in charge of running all computer-related projects.

I recently saw good evidence of this when some large companies were banning camera phones in the work place. The sneer ran "there are soooo many other ways to get info out of the workplace, banning camera phones is just stupid". Well, maybe, but it does stop one more way that someone can walk out with that valuable data... Or maybe we should only lock the front door because we all know burglars NEVER come in through the side door.

Posted by: Teresa in WebTech at 03:42 PM

January 03, 2005

That's Right Just Make Me Feel Old...

Over at Slashdot, Cliff is asking

Years ago, kids could be gradually introduced to computers through learning languages like LOGO and educational computer games. Many of us started our computing careers at our parent's workplace, logged in to a word processor to type away, only to become fascinated with the whole computing thing. So Slashdot, let's hear how you were lured into the digital life. What was it that drew you to a life of programming? How old were you when you first used a computer? What pieces of modern software do you think would be a good way to introduce today's kids to the world of computing?

I never even touched a computer until I was 30... yeah that's right THIRTY years old. That was when my husband got hold of a Mac to bring home for one night. (we could not afford a computer at the time) I turned it on, looked at the screen, clicked on one or two of the few icons on the desktop and thought... what am I supposed to DO with this thing?

No, I am not very inventive. I need to have a reason to use something like a computer. Just turning it on and not having a goal in mind or a task to complete, I'll sit like an idiot for several minutes then go do something else. To me it was like being handed a calculator for the first time... very cool, but unless I had math to do, I had no pressing urge to play with it.

What my husband and I did do at that time was to evaluate our options. We decided that the most cost effective thing with the biggest return in later income was for me to go to school and get a degree in Computer Science. It took me 5 years (had to backtrack on the math part - plus I could only go part time since the kids were in need of my time too) but I finally finished. Now I am on my computer all day long. I still like what I do and that's a great thing. I'm still not very inventive - but it doesn't seem to be necessary any more. I find plenty to do without having to make up things!

And yes the title of the post is still valid... it makes me feel very old to think that when I was a kid the personal computer wasn't even a gleam in the eye of Steve Jobs... Did I ever mention that I freaked out all the youngsters in my first programming class? They couldn't believe that I not only did not have any kind of PC available in High School, but that I never even had a calculator to use for my math classes. They seriously had no idea that there were log charts in the back of math texts or that slide rules were the norm... and that was years ago... *sigh* yeah, I feel old.

Posted by: Teresa in WebTech at 11:49 AM
